A document included in the trove of National Security Agency files released with Glenn Greenwald’s book No Place to Hide details how the agency’s Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers, and other network gear being shipped to organizations targeted for surveillance and install covert implant firmware onto them before they’re delivered.
These Trojan horse systems were described by an NSA manager as being “some of the most productive operations in TAO because they pre-position access points into hard target networks around the world.”
The document, a June 2010 internal newsletter article by the chief of the NSA’s Access and Target Development department (S3261), includes photos (above) of NSA employees opening the shipping box for a Cisco router and installing beacon firmware with a “load station” designed specifically for the task.
The NSA manager described the process:
Here’s how it works: shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.
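The practical defence against the interdiction the newsletter describes is to compare what is actually on the device with a reference obtained over a channel the interceptor did not touch. The script below is an added example, not code from the Ars Technica article or from any NSA or Cisco material. It assumes the firmware image has been dumped from the device's flash with an external programmer (a tampered system's own flashing utility cannot be trusted to report honestly), and that a vendor manifest of SHA-256 digests and image sizes was fetched separately. The "firmware" bytes, the manifest entry name `rommon.bin`, and the helper names are all constructed for illustration.

```python
"""Out-of-band firmware integrity check against a trusted manifest.

Added example (not from the original page). Assumes: image bytes were dumped
externally from the flash chip; the manifest came from the vendor over an
independent channel. All sample images below are constructed, not real firmware.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample images (hypothetical; not real Cisco images).
GOOD_IMAGE = b"\x7fELF" + bytes(range(256)) * 4             # clean build
TAMPERED_IMAGE = GOOD_IMAGE[:300] + b"\xcc" + GOOD_IMAGE[301:]  # one byte patched in place
PADDED_IMAGE = GOOD_IMAGE + b"BEACON"                        # payload appended after the image


@dataclass(frozen=True)
class ManifestEntry:
    """What the vendor's out-of-band manifest states for one image."""
    sha256: str
    size: int


def manifest_entry_for(image: bytes) -> ManifestEntry:
    """Build the reference entry from a trusted copy of the image.

    In practice this comes from the vendor's published manifest, never from the
    device under test.
    """
    return ManifestEntry(hashlib.sha256(image).hexdigest(), len(image))


def verify_image(image: bytes, expected: ManifestEntry) -> tuple[bool, str]:
    """Return (ok, reason) for one dumped image.

    Size is checked first so an image with bytes appended is reported as such;
    the digest is then compared in constant time.
    """
    if len(image) != expected.size:
        return False, f"size mismatch: {len(image)} != {expected.size}"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, expected.sha256):
        return False, "sha256 mismatch"
    return True, "ok"


def verify_all(images: dict[str, bytes],
               manifest: dict[str, ManifestEntry]) -> dict[str, str]:
    """Check every manifest entry against the dump and flag anything unexpected.

    Images present in the dump but absent from the manifest are reported too,
    since an implant may live in a region the vendor never documented.
    """
    results: dict[str, str] = {}
    for name, entry in manifest.items():
        if name not in images:
            results[name] = "missing from dump"
            continue
        _, reason = verify_image(images[name], entry)
        results[name] = reason
    for name in images.keys() - manifest.keys():
        results[name] = "not in manifest"
    return results


if __name__ == "__main__":
    manifest = {"rommon.bin": manifest_entry_for(GOOD_IMAGE)}
    for label, image in [("clean", GOOD_IMAGE),
                         ("tampered", TAMPERED_IMAGE),
                         ("padded", PADDED_IMAGE)]:
        print(label, verify_image(image, manifest["rommon.bin"]))
```

The size check and the "not in manifest" case matter because an implant does not have to patch the vendor image at all; it can sit in otherwise unused flash and hook the boot path. A digest comparison alone would miss that, which is why the whole chip, not just the documented image, should be dumped and accounted for.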
259 Reader Comments
Edit: Disgusting? Sure, if done against those not within the NSA's proper mandate. The technique, however, is fantastic when applied to proper targets. I believe the NSA and other agencies have gone too far, but that doesn't mean they should stop all activity.
Last edited by Nilt on Wed May 14, 2014 2:34 pm
Not unless there's a more attractive bond girl off camera...
If it's against targeted foreign nationals, it's exactly what the NSA is supposed to be doing.
They bloody well should.
Last edited by ev9_tarantula on Wed May 14, 2014 2:42 pm
What's the oversight process? Do they get warrants? Given the NSA's inability to control itself elsewhere, every capability that the NSA has is a liability.
Is Cisco one of the NSA's 80 or so "strategic partners" or would their expressions of shock and outrage be genuine?
Probably less than you think. My guess is that the intercept happens in customs, where long unexplained delays are considered normal.
*It's a small image on mobile but that looks to be the case.
Edit: then again these photos were never intended for public consumption.
Last edited by quantum kittens on Wed May 14, 2014 2:42 pm
If it's against targeted foreign nationals, it's exactly what the NSA is supposed to be doing.
Like Brazilian PetroBras? Damn those bikini waxing terrorists!
It's firmware, so it doesn't look like anything. They're probably just reflashing EPROMs.
What's the oversight process? Do they get warrants? Given the NSA's inability to control itself elsewhere, every capability that the NSA has is a liability.
Apparently, they have a letter written by Dick Cheney's attorney, that only a handful of people have seen, that allows them to do whatever they want.
I'm over-stating things, but that's how it all started. Frontline did a pretty in-depth exposé last night on this.
http://www.pbs.org/wgbh/pages/frontline/united-states-of-secrets/
Last edited by Goofball_Jones on Wed May 14, 2014 2:47 pm
Does it matter?
This practice means you simply can't buy products directly from US companies if you have something the US might want to know about. I'd actually advise to avoid US made IT products completely if what you are doing is supposed to be a secret from the US government or US companies. You simply can't trust them any more.
At no point. The UK and the USA are both in the Five Eyes Alliance. What the NSA is doing, Mr Bond already has access to.
Probably less than you think. My guess is that the intercept happens in customs, where long unexplained delays are considered normal.
If so, then would we have to assume all of this is done only to international shipments?
Depends. If you're using the built-in firmware flashing utility, then it's probably pretty hard to overwrite. Presumably the NSA has subverted that mechanism as well. And this assumes it is in the chips that can be flashed in software. They might be subverting lower level parts of the system that you don't normally touch.
errr.. this is exactly the sort of thing that Tor is designed to evade.
Of course, if NSA has infected all of the routers, servers, and relays in the network (or over some large fraction), then Tor is compromised.
Probably less than you think. My guess is that the intercept happens in customs, where long unexplained delays are considered normal.
If so, then would we have to assume all of this is done only to international shipments?
Theoretically the CIA's mission is focused on foreign countries, so this seems reasonable.
They just want to know why you haven't been paying your support agreement for the *REDACTED* option module.
Does it matter?
This practice means you simply can't buy products directly from US companies if you have something the US might want to know about. I'd actually advise to avoid US made IT products completely if what you are doing is supposed to be a secret from the US government or US companies. You simply can't trust them any more.
There's a reason certain countries have indigenous IT companies that despite (sometimes) a lack of technical prowess and competitiveness are able to keep going in business. You simply can't trust US technology.
If I were John Chambers (the CEO of Cisco), I'd be weighing my legal options right now--unless, of course, Cisco is one of the NSA's "strategic partners" and the company is cooperating with these shenanigans. In that case, I'd be weighing my legal options anyway (because I'd be expecting a shareholder lawsuit for deliberately tarnishing the Cisco brand name).
errr.. this is exactly the sort of thing that Tor is designed to evade.
Of course, if NSA has infected all of the routers, servers, and relays in the network (or over some large fraction), then Tor is compromised.
Given that the picture is just 3 random guys and a totally ad-hoc setup, it doesn't seem likely that they're doing this on a large scale. The fact that they have to intercept the shipments instead of having Cisco install them at the factory is actually a bit of a pleasant surprise.
Something tells me agents aren't robbing trucks or sneaking into shipment processing centers while wearing ninja costumes.
Does it matter?
This practice means you simply can't buy products directly from US companies if you have something the US might want to know about. I'd actually advise to avoid US made IT products completely if what you are doing is supposed to be a secret from the US government or US companies. You simply can't trust them any more.
The fact that Cisco is a US company is meaningless. Cisco routers are manufactured at facilities in Russia, China, Mexico (formerly), etc. A router purchased in Turkey and manufactured in China isn't going to be shipped through the US. They'll drop-ship it directly to Turkey. The NSA likely has the means to intercept global shipments from multiple hardware vendors to just about anywhere in the world. Given that most international shipments are handled by a very small number of shipping companies I'd be willing to bet that the NSA gains access to the equipment through the shippers and not the manufacturers.
They're a bit inconvenient for hand luggage, and I imagine that minions of the Ruritanian central network-equipment procurement agency find themselves in very long queues at customs once they've checked their shiny new router into hold baggage.
Just because of how physical this action is (and involves tampering with mail), I hope lawsuits and criminal charges are forthcoming, even just to keep pushing this stuff into the limelight, since it seems that our 'representatives' continue to not realize how absurdly wrong all this is.